
@alexplaskett

alexplaskett/ntfs-wnf-1.c Secret

Created Jul 15, 2021
__int64 __fastcall NtfsQueryEaUserEaList(__int64 a1, __int64 eas_blocks_for_file, __int64 a3, __int64 out_buf, unsigned int out_buf_length, unsigned int *a6, char a7)
{
unsigned int padding; // er15
padding = 0;
for ( i = a6; ; i = (unsigned int *)((char *)i + *i) )
{
if ( i == v11 )
{
v15 = occupied_length;
out_buf_pos = (_DWORD *)(out_buf + padding + occupied_length);
if ( (unsigned __int8)NtfsLocateEaByName(
ea_blocks_for_file,
*(unsigned int *)(a3 + 4),
&DestinationString,
&ea_block_pos) )
{
ea_block = (FILE_FULL_EA_INFORMATION *)(ea_blocks_for_file + ea_block_pos);
ea_block_size = ea_block->EaNameLength + ea_block->EaValueLength + 9; // Attacker controlled from Ea
if ( ea_block_size <= out_buf_length - padding ) // The check which can underflow
{
memmove(out_buf_pos, ea_block, ea_block_size);
*out_buf_pos = 0;
goto LABEL_8;
}
}
*((_BYTE *)out_buf_pos + *((unsigned __int8 *)v11 + 4) + 8) = 0;
LABEL_8:
v18 = ea_block_size + padding + v15;
occupied_length = v18;
if ( !a7 )
{
if ( v23 )
*v23 = (_DWORD)out_buf_pos - (_DWORD)v23;
if ( *v11 )
{
v23 = out_buf_pos;
out_buf_length -= ea_block_size + padding;
padding = ((ea_block_size + 3) & 0xFFFFFFFC) - ea_block_size;
goto LABEL_24;
}
}
LABEL_12: